Data associated with a network security event may be used to forensically analyze the security event and prevent the event from happening in the future. In the past, recording of network flow data to permit such forensic analysis typically has commenced once a security event has been detected, which results in network data sent or received prior to the event being detected not being captured. In some cases, recent data for all traffic associated with a protected network have been held in a buffer, with older data being overwritten by more recent data as the buffer becomes full. But given the size and speed of modern networks and limits in the storage capacity of such buffers and the processing capacity of associated processors, the data stored in such buffers typically provide only a limited ability to retroactively (i.e., after an event has been detected) capture data for a specific flow with respect to which a network security event has been detected. There is a need, therefore, for a more effective way to capture data associated with a network security event, and in particular data sent or received prior to it being determined that a network security event has been detected.